I'm running Istio 1.2.3 in a GKE environment. I've set up the sock-shop demo application, and am trying to configure HTTP authorization on namespace level. I've enabled Istio's RBAC, and am running the following ServiceRole:
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: service-viewer
  namespace: default
spec:
  rules:
  - services: ["*"]
    methods: ["GET"]
    constraints:
    - key: "destination.labels[name]"
      values: ["front-end", "catalogue", "catalogue-db", "carts", "carts-db", "queue-master", "rabbitmq", "orders", "orders-db"]
and the following ServiceRoleBinding:
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-service-viewer
  namespace: default
spec:
  subjects:
  - properties:
      source.namespace: "istio-system"
  - properties:
      source.namespace: "default"
  roleRef:
    kind: ServiceRole
    name: "service-viewer"
The sock-shop has been deployed in the default namespace, whereas Istio, as usual, is deployed in the istio-system namespace.
However, when I connect to the website, only the front-end loads. The front-end is supposed to fetch the catalogue and carts pages. However, as seen in Kiali, 100% of the traffic going from the front-end to catalogue and carts ends with a 5xx response code. If I remove Istio's RBAC, traffic flows successfully.
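As an added example (not part of the question and not Istio's own code), here is a small offline evaluator that applies the v1alpha1 RBAC matching rules as I understand them (a binding's subject properties must all match the source, and one rule of the referenced role must match service, method, path and every constraint) to the ServiceRole and ServiceRoleBinding posted above. The request attributes and the `check` helper are my own constructions, so you can see which source namespace / destination label / method combinations the policy admits before relying on it.

```python
from fnmatch import fnmatch

# The ServiceRole and ServiceRoleBinding from the question, transcribed as dicts.
SERVICE_ROLE = {
    "rules": [{
        "services": ["*"],
        "methods": ["GET"],
        "constraints": [{"key": "destination.labels[name]",
                         "values": ["front-end", "catalogue", "catalogue-db", "carts",
                                    "carts-db", "queue-master", "rabbitmq", "orders",
                                    "orders-db"]}],
    }],
}
BINDING = {
    "subjects": [{"properties": {"source.namespace": "istio-system"}},
                 {"properties": {"source.namespace": "default"}}],
    "roleRef": {"kind": "ServiceRole", "name": "service-viewer"},
}

def subject_matches(subject, attrs):
    """A subject matches when its user (if set) and every property match."""
    if "user" in subject and attrs.get("source.user") != subject["user"]:
        return False
    return all(attrs.get(k) == v for k, v in subject.get("properties", {}).items())

def rule_matches(rule, attrs):
    """All four rule dimensions must hold; '*' is a wildcard for services/methods."""
    svc_ok = any(fnmatch(attrs["destination.service"], s) for s in rule.get("services", ["*"]))
    methods = rule.get("methods", ["*"])
    meth_ok = "*" in methods or attrs["request.method"] in methods
    paths = rule.get("paths")
    path_ok = paths is None or any(fnmatch(attrs.get("request.path", ""), p) for p in paths)
    cons_ok = all(attrs.get(c["key"]) in c["values"] for c in rule.get("constraints", []))
    return svc_ok and meth_ok and path_ok and cons_ok

def is_allowed(attrs, roles, bindings):
    """Allow if any binding's subject matches and any rule of its role matches."""
    for b in bindings:
        role = roles.get(b["roleRef"]["name"])
        if role and any(subject_matches(s, attrs) for s in b["subjects"]):
            if any(rule_matches(r, attrs) for r in role["rules"]):
                return True
    return False  # default deny once RBAC is enforced for the namespace

def check(src_ns, dest_label, method, path="/"):
    """Constructed request attributes for a call between two sock-shop services."""
    attrs = {"source.namespace": src_ns, "destination.labels[name]": dest_label,
             "destination.service": f"{dest_label}.default.svc.cluster.local",
             "request.method": method, "request.path": path}
    return is_allowed(attrs, {"service-viewer": SERVICE_ROLE}, [BINDING])
```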